Signs your server may have been hacked and what to do about it.
Warning Signs
- Unexpected high CPU or network usage
- Unknown processes running
- Modified system files
- New user accounts you didn't create
- Unusual outbound network connections
Investigation Steps
# Check for unknown users
cat /etc/passwd | grep -v nologin | grep -v false
# Check for unknown SSH keys
cat ~/.ssh/authorized_keys
# Check running processes
ps auxf
# Check crontabs
crontab -l
ls -la /etc/cron.d/
# Check listening ports
ss -tulnp
# Check recent logins
last -20
lastb -20
If Compromised
- Take the server offline (stop via portal)
- Back up any important data you need
- Rebuild the Breeze from scratch
- Investigate how the breach occurred
- Apply security hardening before going live
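The investigation commands above produce raw output that you still have to read by eye. The helper below is an added example (not part of this page or its hosting product's tooling) that turns the same checks into repeatable triage functions: interactive and extra UID 0 accounts from /etc/passwd, authorized_keys entries that were not in a baseline taken at build time, listening sockets outside an allowlist of expected ports, and source addresses with repeated failed SSH logins from `lastb`. All inputs here are constructed samples embedded in the script so it runs offline; the account name `backup2`, the key material, the process `srv` and the addresses are invented for the demonstration. On a real host you would pass the live data instead, as shown in the usage comment at the top.

```shell
#!/bin/sh
# Offline triage helper for the investigation checks (added example, not from the page).
# Every function takes its input as a string so it runs here on constructed samples;
# on a real host feed it the live data instead, for example:
#   interactive_accounts "$(cat /etc/passwd)"
#   new_authorized_keys "$(cat /root/baseline_keys)" "$(cat ~/.ssh/authorized_keys)"
#   unexpected_listeners "$(ss -tulnp)" "22 80 443"
#   failed_login_sources "$(lastb)" 5

# Constructed /etc/passwd: 'backup2' is a UID 0 account the admin never created.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
backup2:x:0:0::/tmp:/bin/sh'

# Accounts whose login shell can actually be used (anything but nologin/false/sync).
# Output: name:uid:shell
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 ":" $3 ":" $7 }'
}

# Any account other than root with UID 0 is effectively a second root login.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed authorized_keys: the baseline was recorded at build time; the
# current file has gained a key nobody recognises (key material is made up).
BASELINE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne admin@laptop'
CURRENT_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo unknown@host'

# Keys present now that were not in the baseline, compared on type + key material
# so that a changed trailing comment alone neither hides nor fakes a new key.
new_authorized_keys() {
    tmp=$(mktemp -d)
    printf '%s\n' "$1" | awk 'NF >= 2 { print $1, $2 }' | sort > "$tmp/base"
    printf '%s\n' "$2" | awk 'NF >= 2 { print $1, $2 }' | sort > "$tmp/cur"
    comm -13 "$tmp/base" "$tmp/cur"
    rm -rf "$tmp"
}

# Constructed `ss -tulnp` output: sshd, nginx and chronyd are expected, 'srv' is not.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=950,fd=6))
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=600,fd=5))
tcp   LISTEN 0      5      [::]:5555          [::]:*            users:(("srv",pid=31337,fd=3))'

# Listening sockets whose port is not in the space-separated allowlist $2.
# Output: proto port process   (handles IPv4, IPv6 "[::]:port" and "*:port" forms)
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed=" $2 " '
        NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
            n = split($5, a, ":"); port = a[n]
            proc = "-"
            if (match($7, /"[^"]*"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
            if (index(allowed, " " port " ") == 0) print $1, port, proc
        }'
}

# Constructed `lastb` output (failed logins); addresses are from documentation ranges.
SAMPLE_LASTB='root     ssh:notty    203.0.113.9      Mon Jan  8 03:12 - 03:12  (00:00)
admin    ssh:notty    203.0.113.9      Mon Jan  8 03:13 - 03:13  (00:00)
oracle   ssh:notty    203.0.113.9      Mon Jan  8 03:13 - 03:13  (00:00)
deploy   ssh:notty    198.51.100.7     Mon Jan  8 09:40 - 09:40  (00:00)

btmp begins Mon Jan  8 00:00:01 2024'

# Source addresses with at least $2 failed SSH logins, most active first.
failed_login_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $2 ~ /^ssh/ { c[$3]++ }
        END { for (ip in c) if (c[ip] >= min) print ip, c[ip] }' | sort -k2 -nr
}

# Run every check against the samples and print a triage report.
triage_report() {
    echo "== interactive accounts =="; interactive_accounts "$SAMPLE_PASSWD"
    echo "== extra UID 0 accounts =="; extra_uid0_accounts "$SAMPLE_PASSWD"
    echo "== authorized_keys not in baseline =="; new_authorized_keys "$BASELINE_KEYS" "$CURRENT_KEYS"
    echo "== listeners outside allowlist (22 80 323) =="; unexpected_listeners "$SAMPLE_SS" "22 80 323"
    echo "== sources with 3+ failed SSH logins =="; failed_login_sources "$SAMPLE_LASTB" 3
}
triage_report
```

The baseline comparison is the part worth keeping after a rebuild: record `authorized_keys`, the list of interactive accounts and the expected listening ports once the hardened server goes live, and the same functions then show only what has changed rather than everything that exists.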